From e98f6d68bdabaffe90c6a4e8707114c7a1d4e19c Mon Sep 17 00:00:00 2001
From: June
Date: Fri, 6 Mar 2026 19:15:55 +0100
Subject: [PATCH 1/3] Revert "wip: test renovate" This reverts commit 05d8c39b75e00a3df17a61b690371c44d930e880. Doesn't work.
---
 renovate.json | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/renovate.json b/renovate.json
index 0231949..41787b7 100644
--- a/renovate.json
+++ b/renovate.json
@@ -30,8 +30,7 @@
 "matchUpdateTypes": [
 "minor",
 "patch"
- ],
- "matchJsonata": ["isBreaking != true"]
+ ]
 },
 {
 "matchDatasources": ["docker"],
@@ -41,8 +40,7 @@
 {
 "matchDatasources": ["docker"],
 "matchPackageNames": ["docker.io/pretalx/standalone"],
- "matchUpdateTypes": ["minor"],
- "isBreaking": true
+ "versioning": "regex:^v(?\\d+\\.\\d+)(?:\\.(?\\d+))$"
 }
 ],
 "customManagers": [
From f345ff5e0023dfade75889ecea2b6139c7463ed0 Mon Sep 17 00:00:00 2001
From: June
Date: Fri, 6 Mar 2026 19:53:24 +0100
Subject: [PATCH 2/3] renovate: make exclusion of CalVer non-patch/-minor upgrades work Pretix and Pretalx both use CalVer, so we don't want to have upgrades to their second number be identified as minor updates and get grouped with all the other minor and patch updates. The regex to re-classify the second number as major doesn't work. Probably because of: "Important: all capture groups must contain only purely numeric values." (https://docs.renovatebot.com/modules/versioning/regex/) So instead match on the minor update type for Pretix and Pretalx and set the group name to null.
---
 renovate.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/renovate.json b/renovate.json
index 41787b7..9a6baba 100644
--- a/renovate.json
+++ b/renovate.json
@@ -35,12 +35,14 @@
 {
 "matchDatasources": ["docker"],
 "matchPackageNames": ["docker.io/pretix/standalone"],
- "versioning": "regex:^(?\\d+\\.\\d+)(?:\\.(?\\d+))$"
+ "matchUpdateTypes": ["minor"],
+ "groupName": null
 },
 {
 "matchDatasources": ["docker"],
 "matchPackageNames": ["docker.io/pretalx/standalone"],
- "versioning": "regex:^v(?\\d+\\.\\d+)(?:\\.(?\\d+))$"
+ "matchUpdateTypes": ["minor"],
+ "groupName": null
 }
 ],
 "customManagers": [
From 0788fde69dd514a9e891ac00d493eaea01b7d78a Mon Sep 17 00:00:00 2001
From: lilly
Date: Thu, 5 Mar 2026 20:23:36 +0100
Subject: [PATCH 3/3] only allow sops encryption of *.sops.* files
---
 .sops.yaml | 60 +++++++++++++++++++++++++++---------------------------
 1 file changed, 30 insertions(+), 30 deletions(-)
diff --git a/.sops.yaml b/.sops.yaml
index c659d62..fcb0b45 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -43,170 +43,170 @@ keys: creation_rules: ## group vars - - path_regex: inventories/chaosknoten/group_vars/all.* + - path_regex: "inventories/chaosknoten/group_vars/.+\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: *host_chaosknoten_age_keys - - path_regex: inventories/external/group_vars/all.* + - path_regex: "inventories/external/group_vars/.+\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: *host_external_age_keys - - path_regex: inventories/z9/group_vars/all.* + - path_regex: "inventories/z9/group_vars/.+\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys ## host vars # chaosknoten hosts - - path_regex: inventories/chaosknoten/host_vars/acmedns.* + - path_regex: "inventories/chaosknoten/host_vars/acmedns\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_acmedns_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/cloud.* + - path_regex: "inventories/chaosknoten/host_vars/cloud\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_cloud_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/keycloak.* + - path_regex: "inventories/chaosknoten/host_vars/keycloak\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_keycloak_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/grafana.* + - path_regex: "inventories/chaosknoten/host_vars/grafana\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_grafana_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/pad.* + - path_regex: "inventories/chaosknoten/host_vars/pad\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_pad_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/ccchoir.* + - path_regex: "inventories/chaosknoten/host_vars/ccchoir\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_ccchoir_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/pretalx.* + - path_regex: "inventories/chaosknoten/host_vars/pretalx\\.sops\\..+" key_groups: - pgp: 
*admin_gpg_keys age: - *host_pretalx_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/netbox.* + - path_regex: "inventories/chaosknoten/host_vars/netbox\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_netbox_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/tickets.* + - path_regex: "inventories/chaosknoten/host_vars/tickets\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_tickets_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/onlyoffice.* + - path_regex: "inventories/chaosknoten/host_vars/onlyoffice\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_onlyoffice_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/zammad.* + - path_regex: "inventories/chaosknoten/host_vars/zammad\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_zammad_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/ntfy.* + - path_regex: "inventories/chaosknoten/host_vars/ntfy\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_ntfy_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/eh22-wiki.* + - path_regex: "inventories/chaosknoten/host_vars/eh22-wiki\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_eh22_wiki_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/sunders.* + - path_regex: "inventories/chaosknoten/host_vars/sunders\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_sunders_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/wiki.* + - path_regex: "inventories/chaosknoten/host_vars/wiki\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_wiki_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/renovate.* + - path_regex: "inventories/chaosknoten/host_vars/renovate\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_renovate_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/lists.* + - 
path_regex: "inventories/chaosknoten/host_vars/lists\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_lists_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/mumble.* + - path_regex: "inventories/chaosknoten/host_vars/mumble\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_mumble_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/public-reverse-proxy.* + - path_regex: "inventories/chaosknoten/host_vars/public-reverse-proxy\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_public_reverse_proxy_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/spaceapiccc.* + - path_regex: "inventories/chaosknoten/host_vars/spaceapiccc\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_spaceapiccc_ansible_pull_age_key - - path_regex: inventories/chaosknoten/host_vars/mjolnir.* + - path_regex: "inventories/chaosknoten/host_vars/mjolnir\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_mjolnir_ansible_pull_age_key # external hosts - - path_regex: inventories/external/host_vars/status.* + - path_regex: "inventories/external/host_vars/status\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys age: - *host_status_ansible_pull_age_key # z9 hosts - - path_regex: inventories/z9/host_vars/dooris.* + - path_regex: "inventories/z9/host_vars/dooris\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys - - path_regex: inventories/z9/host_vars/yate.* + - path_regex: "inventories/z9/host_vars/yate\\.sops\\..+" key_groups: - pgp: *admin_gpg_keys # general - - key_groups: - - pgp: - *admin_gpg_keys + - path_regex: ".+\\.sops\\..+" + key_groups: + - pgp: *admin_gpg_keys stores: yaml:
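Review bot: The three group_vars rules at the top of this hunk no longer name the `all` group: `inventories/chaosknoten/group_vars/.+\\.sops\\..+` (and the `external` and `z9` equivalents) matches any group's file, and `.+` also crosses `/`, so a later group-specific secrets file would be encrypted to every key in `host_chaosknoten_age_keys`. If only `all` is intended, keep the name in the pattern as the host rules do, e.g. `- path_regex: "inventories/chaosknoten/group_vars/all.*\\.sops\\..+"`. The host rules now require `<host>.sops.<ext>` directly under `host_vars/`; if any host uses a per-host directory, its files would presumably fall through to the final `.+\\.sops\\..+` rule and be encrypted to the admin PGP keys only, so it is worth running `sops updatekeys` over the existing files to confirm each still resolves to its host rule. A short comment above `creation_rules` stating the `*.sops.*` naming requirement would help, and since this file cannot stop a secret with a different name from being committed unencrypted, that check belongs in a pre-commit hook or CI.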